MTU SETTING

Right now our MTU on the PIX is 1500 on inside and outside.

The Cisco VPN client sets up at 1300 by default.

What will it affect by changing it from 1500 to 1300 to match the VPN client default?

We use SBS Exchange and Remote Web Workplace internally.

I figured it's easier to change it on the PIX itself, rather than re-writing the install client to match the 1500 setting on the PIX. I am about to be rolling out a lot of these VPN clients so I wanted to make it as smooth as possible. Please let me know what's best and what will be affected by the change being made at the firewall. Thanks in advance.
jaysonfranklin asked:
lrmoore commented:
I would highly recommend leaving the PIX interface at the default and letting the VPN client software change the client end. The clients will typically be connecting from almost anywhere. It's the network endpoint closest to the user that can affect the MTU.
I have never seen any valid reason to change the firewall's MTU with the lone exception of DSL/PPPoE connections where the PIX itself is the PPPoE client and the MTU gets adjusted to 1492 to account for the extra 8-byte PPPoE overhead.

jaysonfranklin (author) commented:
So, do you think leaving the VPN client's setting at 1300 while the PIX outside int is at 1500 isn't a big deal?

lrmoore commented:
I do not think it is a big deal. I think it is the right thing to do.

Tim Holman commented:
Leave both MTUs alone.  If there ever becomes a case where an intermediary MTU is low enough to cause fragmentation, then there's something called PMTU Discovery that will help you out.
PMTU Discovery is a process by which a client negotiates optimum MTU with a server by means of ICMP messages.
Fortunately for us, it's built into all modern TCP/IP stacks (PIX, VPN Client and DSL networks included!), so there's really no need to muck around with MTUs anymore.  It was a bit different 10 years ago with dial-up connections, and paranoid sec admins who disabled ICMP.  But these days, one would hope things are different.  Apart from the last bit.  I still come across the odd setup where an admin has incorrectly disabled all ICMP at his/her perimeter.  It's not called 'Internet Control' MP for nothing!  :)

rsivanandan commented:
Agree with others on leaving it alone unless there are other reasons. Now, if you are thinking about changing it because your VPN client has 1300 and the PIX is at 1500:

You have to imagine the connection. Say a normal packet will be 1500 odd, but when you have an IPsec VPN into it, you're adding more fields to it and the packet gets a little bigger, so in order to avoid fragmentation it is better to have it as 1300 (which even I find very optimal to work with while I'm in India and the PIX is in the US, especially with VoIP clients).

As well, the connection type of the VPN client needs to take this into consideration. I'm sure it will be lower than the PIX site?

Cheers,
Rajesh
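As an added illustration of the overhead Rajesh describes (example code written for this page, not from any poster or from Cisco): it computes the on-the-wire size of an inner packet after ESP tunnel-mode encapsulation per RFC 4303 and RFC 3948, assuming AES-CBC with HMAC-SHA1-96 and NAT-T UDP encapsulation as a typical remote-client profile, and finds the largest inner MTU that still avoids post-encryption fragmentation at a 1500-byte path MTU.

```python
# Added example (not from the thread): how IPsec ESP encapsulation grows a packet,
# and therefore why a VPN client MTU below the firewall's 1500 avoids fragmentation.
# Layout follows RFC 4303 (ESP) and RFC 3948 (UDP encapsulation of ESP for NAT-T).
from dataclasses import dataclass

OUTER_IPV4 = 20          # new outer IPv4 header added in tunnel mode
UDP_NAT_T = 8            # UDP header when NAT traversal encapsulates ESP
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)

# cipher -> (IV length, block size); integrity algorithm -> truncated ICV length
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
ICV = {"hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}

@dataclass
class SaProfile:
    cipher: str = "aes-cbc"
    integrity: str = "hmac-sha1-96"
    nat_t: bool = True   # assumption: remote client behind NAT, so ESP rides in UDP

def encapsulated_size(inner_len: int, sa: SaProfile) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel mode."""
    iv, block = CIPHERS[sa.cipher]
    # ESP pads so that payload + trailer is a multiple of the cipher block size
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (OUTER_IPV4 + (UDP_NAT_T if sa.nat_t else 0) + ESP_HEADER + iv
            + inner_len + pad + ESP_TRAILER + ICV[sa.integrity])

def fragments(inner_len: int, sa: SaProfile, path_mtu: int = 1500) -> bool:
    """True if the encrypted packet exceeds the path MTU and the outer packet must fragment."""
    return encapsulated_size(inner_len, sa) > path_mtu

def max_inner_mtu(sa: SaProfile, path_mtu: int = 1500) -> int:
    """Largest inner packet the client can send without post-encryption fragmentation."""
    return max(n for n in range(path_mtu) if not fragments(n, sa, path_mtu))

def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS that fits inner_mtu: subtract the 20-byte IPv4 and 20-byte TCP headers."""
    return inner_mtu - 40

if __name__ == "__main__":
    sa = SaProfile()
    for size in (1500, 1300):
        print(f"inner {size} -> wire {encapsulated_size(size, sa)} "
              f"fragments={fragments(size, sa)}")
    inner = max_inner_mtu(sa)
    print("max inner MTU:", inner, "TCP MSS:", tcp_mss_for(inner))
```

Under these assumptions a 1500-byte inner packet grows to 1568 bytes and must fragment, while the 1300-byte client default leaves comfortable headroom; for TCP flows the PIX's default MSS clamp of 1380 (sysopt connection tcpmss) addresses the same problem without touching interface MTUs.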